SSL Automated Signatures


William Wilson and Jugal Kalita
Department of Computer Science
University of Colorado, Colorado Springs, CO 80920 USA
wjwilson057@gmail.com and kalita@eas.uccs.edu

Abstract

In the last few years there has been considerable research on automated intrusion signature generation. Automated signature generation helps mitigate the limitation signature based intrusion detection systems have with classifying novel exploits. The problem has been approached with a few different solutions. Systems that generate automata based on system calls typically produce the fewest false negatives and the fewest false positives; however, they are significantly more resource intensive than basic signatures. In many cases they also require changes to each application they protect. Even though signatures that are generated using features extracted from network payload and protocol context are not as robust as automata modeling illegal operations, they are much faster to both generate and evaluate. The SSL Automated Signatures (SAS) system reported here falls in the category of rule induction systems. It combines many of the advantages of both host based and network based intrusion detection. It overcomes the limitations that network intrusion detection has with encrypted traffic and novel exploits. The computational expense and high false positive rate of classic host based anomaly detection are mitigated through the combination of rule induction and sensor collaboration.

1 Introduction

1.1 Intrusion Detection

With the rapid growth of society's dependence on information systems, the risk from malicious activity has also grown rapidly. Intrusion detection systems provide some control against malicious activity. Intrusion detection systems look for patterns that are either known to be malicious or are not encountered during normal operations, then either prevent the activity or alert an administrator. Intrusion detection systems are generally classified in two sets of categories: network or host based, and signature or anomaly based. Combinations within the sets are usually referred to as hybrid systems.
Figure 1: Intrusion Detection System Types

A signature based system utilizes expert knowledge to detect exploits. Signature based detection systems are fast compared to anomaly based systems and are very accurate in detecting known exploits. The main drawback of signature based systems is their inability to detect most novel and obscured exploits.

Anomaly based systems analyze either network traffic or states of individual hosts. Many anomaly based systems that use network traffic rely on protocol information of network traffic as opposed to packet content. These systems build profiles of protocol behavior for the different hosts and generate alerts when traffic deviates from the profile. The advantage of anomaly based systems is that they can detect novel exploits that cannot be classified using signatures.

Network based sensors are usually dedicated hosts that read all data from a network segment for use in detecting attacks. The primary advantage of network based sensors is in their view of an entire network segment. A network sensor can detect if the same source was attempting to access multiple destinations near the same time, while sensors without the ability to see the entire network could not detect those types of patterns. Network sensors are also necessary to detect attacks against nodes that do not host their own intrusion detection agents, such as many routers, switches, and hosts that either don't have or can't spare the necessary resources.

A host based intrusion detection system is pretty much exactly as it sounds. It involves agents that run on end systems. Host based intrusion detection systems can monitor operating system state, application state, or evaluate processes and traffic based on signatures. It is common for hosts to have several autonomous intrusion detection programs that do not interact at all, which leads to scalability problems. When a separate agent is needed for each program, the overhead is significant. However, a single agent that understands the valid operations of every program is impractical. As mentioned in the previous section, the main advantage of host based systems is that they can monitor state, so they can detect if a request was successful and if seemingly normal traffic leads to an invalid state.
Systems that contain more than one cooperative host or network based sensor are usually referred to as distributed intrusion detection systems.

1.2 Automated Signature Generation

Automated signature generation (ASG) refers to the process of dynamically creating rules for detecting network intrusions. The strict definition of automated signature generation should only include signature based intrusion detection systems; however, modeling for anomaly based detection is frequently associated with ASG. In the last few years there has been considerable research on this topic. Automated signature generation helps mitigate the limitation signature based intrusion detection systems have with classifying novel exploits. Up until the advent of automated signature generation systems, the best solution to alert against novel attacks was to employ anomaly detection agents on the network and on critical hosts. Signatures are only able to detect exploits against known vulnerabilities. Anomaly detection systems are used to look at changes in network or application usage patterns or invalid states on a host. This additional information gives them the ability to detect exploits on zero day vulnerabilities that would easily pass through a signature based system.

Automated signature generation helps fill the gap to allow signature based systems to detect attacks on novel exploits, which gives security experts time to analyze the vulnerability and create permanent signatures. ASG systems use data from anomaly detection systems and honeypots as input to their learning algorithms. The outputs are deployable signatures.

The question can still be asked as to why use automatically generated signatures at all when anomaly detection can detect these zero day vulnerabilities. The answer is in the mean resource utilization required to detect an attack with high confidence. In some cases, the attack might not be detected until after it was successful. In these cases, the automatically generated signature will protect other hosts even though the attack has already caused damage to at least one host. In other cases, the signature can be used on hosts or network sensors that do not have the resources for anomaly detection. Even on hosts that used anomaly detection to successfully thwart the attack, the use of a signature will protect against future attacks without requiring the performance tax associated with anomaly detection.

One of the most accurate methods for model generation is an analysis of system calls. There have been several intrusion detection systems based on this concept. (Wagner, et al., 2001) describe a system in which static analysis is used to create pushdown automata that model all of the allowed system calls for an application. The results in terms of detection rate and false positive rate were very promising, but the resources required for both generation and evaluation of the automata limited the scalability to applications of up to 32,000 lines. (Gopalakrishna, et al., 2005) describe a system similar to (Wagner, et al., 2001) that uses inline automaton models. Their system greatly reduces complexity without a significant rise in the false negative rate.

Even with the reduced complexity of inline automaton models, anomaly detection systems such as this are considerably more computationally intensive than signatures based on network traffic. Most of the original work in signature generation for network based intrusion detection systems used longest common substrings found in network flows known to be anomalous (Kreibich, et al., 2003). In the last few years, the ASG systems and their resulting signatures have been growing more complex. The Nemean system creates semantics-aware signatures (Yegneswaran, et al., 2005). Nemean builds upon the theory from Autograph, Earlybird, and Honeycomb and adds a component of normalization and application awareness. The SSL Automated Signatures system described in this paper builds on the concepts used in Nemean with improvements in the methods used to separate anomalous data from normal data, in the use of protocol context information, and in the number of supported protocols.
1.3 Feature Selection

Feature selection and weighting are key factors in automated signature generation. The basis of many network anomaly based intrusion detection systems is analysis of protocol context. Network anomaly detection relies on creating a baseline for normal protocol behavior and determining when there is a deviation. In the 1999 KDD Cup competition, most of the data was network protocol and operating system context data extracted from the 1998 DARPA intrusion detection data set. The 1998 DARPA intrusion detection data set contained primarily denial of service exploits that could be detected using protocol context and a few common payload strings. For cases such as the denial of service attacks present in the 1998 DARPA data set, feature selection is relatively simple and could be captured in the 47 features used in the 1999 KDD Cup.

The user to root and remote to local exploit classes proved more of a problem for feature selection. For the 1999 KDD Cup, features specific to the protected application needed to be selected using expert knowledge. The developers of the KDD 1999 data set extracted content strings statically from the payload based on an analysis of the exploits contained in the test set. When leaving the confines of a small test set, a more dynamic approach is needed for feature selection. Modeling the intended behavior of an application is one approach, but it has scalability limits (Yegneswaran, et al., 2005). Another approach is to model behavior that is common in exploits against an application. For example, (Kloft, Brefeld, Dussel, Gehl, & Laskov, 2008) use traits that are commonly found in malicious web traffic, such as excessively long URLs and POST variables, non-printable characters, control characters, and other uncommon characters as a basis for features.

These types of models require expert knowledge about the protected application or the class of vulnerability exploited. When there isn't knowledge about the exploit available to the intrusion detection system, generic algorithms must be used to find similarities in anomalous payloads. Longest common substrings from payloads can be used after removing similarities with normal traffic. Polymorphic worms will slip past detection when using longest common substrings. Polygraph uses a statistical analysis of short payload substrings to find invariant segments in polymorphic payloads (Newsome, Karp, & Song, 2005). This technique performs reasonably well without any application specific knowledge. The intent of the SSL Automated Signatures (SAS) system is to protect against application vulnerabilities and not to protect from worms; however, the concept used in Polygraph still provides a useful technique for payload analysis without any expert knowledge.

SAS uses a multi-tier approach for feature selection. Protocol features at the network and SSL layer are used as a first tier. The second tier includes application knowledge to find features in decrypted payloads. The third tier uses an algorithm similar to what was used in Polygraph to find correlations in the absence of expert knowledge.

2 Learning in Intrusion Detection

2.1 Rule Induction

Once anomalous data is separated into categories and features have been selected, one can use rule induction to create signatures. The general concept of rule induction is to evaluate the values of the features against the set of classes to maximize gain (Quinlan, 1993).

The raw output of a greedy entropy minimization algorithm such as C5 can be used as basic signatures. If the process for obtaining and labeling data is not guaranteed accurate, the resulting rules should not be treated as absolute truths. The error rate determined from the induction test and training data must be combined with the confidence from the anomaly detection and collection system to create a set of possible classifications with probabilities for the rule sets.
The use of probabilities on rule sets also allows for more pruning than discrete rules. In this case, an event may meet the criteria for more than one rule and a classification decision will be calculated according to the probabilities of the triggered rules.

2.2 Collaboration and Data Fusion

The SSL Automated Signature system requires collaboration in both anomalous data collection and combining generated signatures. Plurality voting, neural networks, Dempster-Shafer theory, and Bayesian inference were evaluated for use in this project. Plurality voting is the fastest and in most cases it is the least accurate. When using plurality voting, the features with the most votes are selected for a classification rule. Neural networks can be employed in a few different ways. For this project they were evaluated to determine weights for each feature. As new decision trees were induced, the weights associated with each classifier were adjusted. Bayesian inference changes the probability of an event as new evidence is introduced. As new evidence is introduced the posterior probability is calculated using the prior probability, the conditional probability, and the marginal probability. Dempster-Shafer theory is a method for combining evidence that is based on Bayesian theory. It introduces concepts of ignorance, belief, disbelief, and plausibility instead of probabilities. This removes the requirement for prior probabilities on all features and accommodates feature sets that do not have complete intersections (Al-Ani, et al., 2002).

3 SSL Signatures

3.1 SSL and Limitations of Current Systems

Most of the current systems in automated signature generation are designed to thwart new worms. They are not able to classify attacks that are encrypted or do not have sufficient traffic to show up using their anomalous data collection techniques. The SSL Automated Signature system provides both a new approach to evaluating signatures and improvements on existing techniques for collecting anomalous data.

The Secure Sockets Layer (SSL) is a presentation layer protocol that provides confidentiality and integrity. It uses symmetric cryptography to encrypt application data and uses a keyed message authentication code (MAC) to ensure data integrity (Dierks, et al., 1999). The protocol allows for secure key negotiation and mutual authentication. It is designed to provide a flexible framework. Parameters such as encryption algorithm and bit length can be negotiated between hosts. This also allows implementations of SSL to update the underlying encryption algorithms with relative ease. Since it is defined as a presentation layer protocol, it is independent of application layer protocols. This allows it to be integrated into countless applications.

One of the most common implementations of SSL is OpenSSL. The most recent version of OpenSSL provides support for each version of the SSL specification including TLSv1. OpenSSL makes it easy for programmers to secure their network communication. The push for security and the ease of use of libraries such as OpenSSL have improved the confidentiality of Internet communications while creating a new issue. Security controls such as network intrusion detection systems and proxy firewalls are no longer able to inspect the content of the application payload. The added assurance of confidentiality does not remove any application vulnerabilities.
In most cases applications are just as vulnerable to buffer overflows and other attacks that result from not properly checking input. While SSL can be used to mutually authenticate a client and server, this feature is not always used. The case without authentication can be vulnerable to man in the middle attacks or other forms of impersonation.

The use of an SSL termination proxy is one solution to help detect anomalies in data encrypted with SSL. These systems, however, have a few limitations. From the functionality perspective, they are limited by their processing power and the speed of their network interface. The resources required to terminate, inspect, and then recreate an SSL session limit the scalability of these devices. They are also considered by some security experts to create a security vulnerability just as bad as the one they are solving. Since these devices are trusted to act on the behalf of clients by terminating their SSL sessions, they must be truly trusted devices. If one of these appliances is exploited, the attacker has access to every flow that moves through it.

Another solution to allow inspection of the data is pushing the responsibility of intrusion detection and response down to the host. In addition to being able to decrypt data prior to inspection, the use of host intrusion detection brings advantages such as being able to monitor the state of the system and block the execution of code.

The concept of SSL signatures is being introduced as part of the SSL Automated Signatures system. The SSL signature component introduces the ability to evaluate SSL payload and protocol context prior to returning a read request to an application. Even without the dynamic capability of the SAS system, SSL signatures still provide valuable protection because they are able to read data after decryption and use fewer resources than anomaly based host intrusion detection systems.

3.2 SAS Signature Generation

In examples like the DARPA 1998 test set, the majority of the anomalous data is from denial of service attacks. For denial of service attacks, protocol analysis with limited use of payload features is adequate. For remote to local, user to root attacks and other types of data access exploits this is often not the case. The SSL signature architecture makes use of TCP/IP protocol features, as well as SSL protocol features, and payload features to assist in classifying exploits that are tailored towards data access. The Intrusion Detection Message Exchange Format (IDMEF) DTD provides the template for features that are evaluated. It includes the TCP/IP features that are seen in traditional intrusion detection systems and adds some entities for upper layer protocol information. It also includes impact, category, and data source entities. The additional SSL protocol data is added as a new entity. At this stage of development, the system errs on the side of too much data. Most of the properties that are provided by the OpenSSL encryption context structures are defined in the SSL entity. As testing progresses, unneeded attributes will be removed.

The signature generation component relies on the results from the framework for sensor collaboration. When the signature generation component gets data, it is expected that the data has already been normalized and assigned confidence values by the sensor collaboration component.

The payload features are not as simple to define as the protocol context features unless knowledge of an application is used. In non-obfuscated atomic attacks, a longest common substring can be used to extract relevant information from a payload. Even though it is not sufficient for many attacks, it is worth including as a low complexity first pass. A disadvantage of the longest common substring method is that it will generate signatures that are longer than needed to classify the attack. It will also often miss components that are common to normal traffic, but are required as part of the attack. To improve accuracy over the longest common substring method, sets of smaller byte sequences are evaluated. Several methods for comparing strings were evaluated for optimal performance and accuracy. Setting a minimum and maximum threshold for byte sequence length can be used to create smaller signatures than the longest common substring method with comparable accuracy. To further increase accuracy, exact matches at the bit level are evaluated for the first 32 bits of the payload. This is used to help capture application directives that are frequently found at the beginning of the payload. At this time only unions of the sets are being evaluated. In the future, ordering and more complex boolean expressions will be evaluated.

Individual rules are generated using established rule induction techniques. Code from the C4.5 application is used as the basis of the rule induction component. Since the confidence of each rule can be low and the features selected for each rule might not be complete, the rules are combined as new data is presented to the system. The method proposed in (Al-Ani, et al., 2002) is being evaluated for use in combining the rules. It has a higher computational cost for combining initial sets of classifiers than other systems based on similar theory, but the cost decreases for additional classifiers as they are added.

Part of the combining process reduces the complexity of each rule. Features with a high confidence that are present in most rules are included in the primary rule with a high confidence. In order to prevent loss of decisions based on features that were not consistent in the data provided to the combiner process, supplementary rules are generated with a low confidence. Use of the supplementary rules is helpful in raising the confidence when the primary rule does not provide a high enough confidence to create an alert. Most intrusion detection systems only have classifiers for malicious data. The dynamic nature of SAS and the simplified signatures create an issue in that an event may have a high confidence in different classes. When all of the classes are malicious, the impact of an overlap is minimal, but one must also take the normal class into account. To ensure that the overlap is not the result of the traffic actually being normal, signatures are included to classify normal events. In general, the trigger for the class with the highest confidence is executed.
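To make the payload feature methods of this section concrete, the following is an added example, not SAS or Polygraph code. It implements the low-complexity first pass (longest common substring over the anomalous payloads), the Polygraph-style token extraction that section 1.3 names as the third tier (fixed-size byte windows shared by the anomalous payloads, minus windows that also occur in normal traffic, coalesced into runs), the exact match on the first 32 bits of the payload, and a match over the union of the resulting sets. The 4-byte header, the benign requests, the exploit variants and their "len=9999" and 0xfffefdfc invariants are all constructed; the paper's maximum-length threshold is not modelled, and "union" is taken to mean that every feature in the combined set must be present, like the && in the rule syntax of section 3.4.

```python
"""Payload token extraction for SAS-style signatures (added example).

Not SAS or Polygraph code: the 4-byte header, the benign and exploit
payloads and the 'len=9999' / 0xfffefdfc invariants are constructed.
Tokens are found Polygraph-style: fixed-size byte windows shared by the
anomalous payloads, minus windows that also occur in normal traffic,
coalesced into runs. The paper's maximum-length threshold is not modelled."""
import math
from collections import Counter

HDR = b"\x01\x00\x00\x02"          # constructed application directive (first 32 bits)

NORMAL = [                         # constructed benign requests
    HDR + b"REQ user=alice;len=12;pad=" + b"x" * 12,
    HDR + b"REQ user=bob;len=7;pad=" + b"x" * 7,
    HDR + b"REQ user=carol;len=20;pad=" + b"x" * 20,
]
ANOMALOUS = [                      # constructed variants of one exploit: filler and marker position vary
    HDR + b"REQ user=alice;len=9999;pad=" + b"Q" * 20 + b"\xff\xfe\xfd\xfc",
    HDR + b"REQ user=bob;len=9999;pad=" + b"\xff\xfe\xfd\xfc" + b"R" * 25,
    HDR + b"REQ user=carol;len=9999;pad=" + b"S" * 10 + b"\xff\xfe\xfd\xfc" + b"S" * 7,
]


def longest_common_substring(payloads):
    """Longest byte string present in every payload: the low-complexity first pass."""
    base = min(payloads, key=len)
    for length in range(len(base), 0, -1):
        for start in range(len(base) - length + 1):
            cand = base[start:start + length]
            if all(cand in p for p in payloads):
                return cand
    return b""


def invariant_tokens(anomalous, normal, window=4, support=1.0):
    """Byte runs shared by at least `support` of the anomalous payloads after
    discarding every window that also occurs in normal traffic."""
    need = max(1, math.ceil(support * len(anomalous)))
    counts = Counter()
    for p in anomalous:            # count each window once per payload
        counts.update({p[i:i + window] for i in range(len(p) - window + 1)})
    keep = {w for w, c in counts.items()
            if c >= need and not any(w in n for n in normal)}
    runs = set()
    for p in anomalous:            # coalesce surviving windows into maximal runs
        covered = [False] * len(p)
        for i in range(len(p) - window + 1):
            if p[i:i + window] in keep:
                covered[i:i + window] = [True] * window
        i = 0
        while i < len(p):
            if not covered[i]:
                i += 1
                continue
            j = i
            while j < len(p) and covered[j]:
                j += 1
            runs.add(p[i:j])
            i = j
    return {r for r in runs if sum(r in p for p in anomalous) >= need}


def header_prefix(payloads, nbits=32):
    """Exact match on the leading nbits of every payload, or None if they differ."""
    n = nbits // 8
    prefixes = {p[:n] for p in payloads}
    if len(prefixes) != 1:
        return None
    prefix = prefixes.pop()
    return prefix if len(prefix) == n else None


def build_signature(anomalous, normal):
    """Union of the feature sets: header prefix plus invariant tokens (assumed to
    mean 'all must be present', like the && in the paper's rule syntax)."""
    return {"prefix": header_prefix(anomalous),
            "tokens": invariant_tokens(anomalous, normal),
            "lcs": longest_common_substring(anomalous)}   # kept for comparison only


def matches(signature, payload):
    """True when the payload carries the header prefix and every token."""
    if signature["prefix"] is not None and not payload.startswith(signature["prefix"]):
        return False
    return all(tok in payload for tok in signature["tokens"])


if __name__ == "__main__":
    sig = build_signature(ANOMALOUS, NORMAL)
    print("LCS   :", sig["lcs"])        # 14 bytes, drags in the benign ';' and 'pad=' fragments
    print("tokens:", sig["tokens"])     # shorter run plus the marker that moves between variants
    variant = HDR + b"REQ user=dave;len=9999;pad=" + b"T" * 5 + b"\xff\xfe\xfd\xfc"
    print("variant:", matches(sig, variant), "normal:", [matches(sig, n) for n in NORMAL])
```

On the constructed data the longest common substring is `;len=9999;pad=`, which includes the `;` and `pad=` fragments that every normal request also carries, and it cannot express the second invariant (the 4-byte marker) because that sits at a different offset in each variant. The window method yields the shorter `en=9999;pa` run together with the marker, and the signature built from the union matches a fresh variant while rejecting each normal request.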

3.3 SSL Interception Architecture

The SSL Automated Signatures (SAS) system has the unique ability to not just look at traffic as it comes from the network interface, but it can also evaluate decrypted SSL traffic and metadata. The metadata includes information such as the typical TCP/IP features, SSL connection state, SSL alert value, SSL version, encryption algorithm, and a few other attributes.

The SSL signature evaluation process hooks into the SSL_read function of OpenSSL. When a signature is triggered, the user_cancelled error is raised in OpenSSL. This triggers the SSL connection to close.

Figure 2: SSL Signature Flow

For dynamic generation of SSL signatures, a few components in addition to the signature evaluation are required. In order to associate anomalies with SSL traffic, a rotating log file is used. On the SAS systems, every read and write and their associated metadata are stored. When an anomaly is detected the host_agent requests SSL data from the relevant time and protocol so it can be used for signature generation.

3.4 Signature Structure

The signature structure of SAS is a compromise between succinct signatures and complex fuzzy signatures. The first tier of signatures is in the Snort format. These signatures don't contain any fuzzy information, but the action of the signature indicates if a fuzzy signature should be evaluated. This allows the signature processor to quickly move over signatures that are clearly irrelevant.

This example creates an alert without any additional processing:

alert ssl $SRC_NET $SRC_PORT -> $DST_NET $DST_PORT (content: "PAYLOAD_SEG1" && "PAYLOAD_SEG2"; ssl_options: "v2,aes168,md5,dh")

Changing the rule to a trigger rule will make it trigger additional rules. The trigger rule also needs to list the rule_id so the system can look up follow-on rules in the rule database. This small change converts a strict rule into a trigger for a fuzzy rule:

trigger ssl $SRC_NET $SRC_PORT -> $DST_NET $DST_PORT (content: "PAYLOAD_SEG1" && "PAYLOAD_SEG2"; ssl_options: "v2,aes168,md5,dh"; rule_id:32767)

The follow-on rules are sets of probabilities stored in a relational database that can be referenced by the rule_id. A record in the database is a conditional probability, P(class | Event) = probability, where the Event can be a single observation or a combination of observations, including negations. For example

P(some_class | PAYLOAD_SEG1 ∧ PAYLOAD_SEG2 ∧ (content_feature1 ∨ content_feature2))

requires three conditions to be met to include the probability. Bayesian inference is used to combine the probabilities of the relevant rules to determine the most probable class.

4 Results

The proof of concept model was evaluated using applications designed with intentional security flaws. The intentional security flaws in simple applications provided a controlled environment for testing. The host anomaly detection components were designed with knowledge of the expected behavior of the test applications. The test applications primarily included vulnerabilities from unchecked inputs. At this time, all of the attacks used against the applications were atomic so a correlation could be made between data captured from the SSL intercept component and the anomaly detection agents without the additional state tracking required to detect composite attacks.

The applications included an emulation of a web server and two simple client-server applications. The emulated web server contained sample applications that had SQL injection vulnerabilities and scripting errors from unchecked inputs. The client-server applications contained mostly buffer overflow vulnerabilities. The test applications also contained some completely synthetic vulnerabilities, in which the applications would create log entries when certain input conditions were met that would allow the anomaly sensors to believe there was an attack. This was necessary so the test set could be expanded past common exploit classes.

Scripts were used to generate test data.
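Before the test results, the following added example works through the signature structure of sections 3.3 and 3.4; it is not the SAS code. It holds a tier-1 rule equivalent to the trigger rule above, a follow-on record that uses the event grammar of P(class | PAYLOAD_SEG1 ∧ PAYLOAD_SEG2 ∧ (content_feature1 ∨ content_feature2)), a combination of every record whose event holds, and a read wrapper that refuses the data when the most probable class is not normal, standing in for the SSL_read hook and the user_cancelled error of section 3.3. The feature predicates, the class priors, the follow-on probabilities and the sample payloads are constructed, and the combination treats each record as independent evidence (P(c | e1..en) proportional to P(c) times the product over i of P(c | ei) / P(c)); that independence assumption is mine, not the paper's.

```python
"""Tier-1 rules that trigger Bayesian follow-on rules (added example).

Not the SAS code: the in-memory rule format, the feature predicates, the
class priors, the follow-on probabilities and the sample payloads are all
constructed assumptions. Records whose event holds are combined as
independent evidence: P(c | e1..en) is proportional to
P(c) * prod_i P(c | e_i) / P(c), then normalised over the classes."""
import math
from dataclasses import dataclass

CLASSES = ("normal", "bufferoverflow", "injection", "unique")
PRIORS = {"normal": 0.98, "bufferoverflow": 0.01, "injection": 0.005, "unique": 0.005}


@dataclass(frozen=True)
class Observation:
    payload: bytes            # decrypted SSL application data
    ssl_options: frozenset    # negotiated parameters, e.g. {"v2", "aes168", "md5", "dh"}


@dataclass(frozen=True)
class Tier1Rule:
    """One Snort-format rule: 'alert' fires as is, 'trigger' consults the follow-on database."""
    action: str
    content: tuple            # every segment must be present (the && in the rule)
    ssl_options: frozenset    # every listed option must have been negotiated
    rule_id: int = 0

    def matches(self, obs):
        return (all(seg in obs.payload for seg in self.content)
                and self.ssl_options <= obs.ssl_options)


# Named observations that follow-on events refer to (constructed predicates).
FEATURES = {
    "PAYLOAD_SEG1": lambda o: b"SEG1" in o.payload,
    "PAYLOAD_SEG2": lambda o: b"SEG2" in o.payload,
    "content_feature1": lambda o: len(o.payload) > 64,                                    # unusually long
    "content_feature2": lambda o: any(b < 0x20 and b not in (9, 10, 13) for b in o.payload),  # control chars
}


def eval_event(event, obs):
    """Event grammar: a feature name, ("and", ...), ("or", ...) or ("not", e)."""
    if isinstance(event, str):
        return FEATURES[event](obs)
    op, *args = event
    if op == "and":
        return all(eval_event(e, obs) for e in args)
    if op == "or":
        return any(eval_event(e, obs) for e in args)
    if op == "not":
        return not eval_event(args[0], obs)
    raise ValueError(f"unknown operator {op!r}")


# Follow-on database: rule_id -> [(event, {class: P(class | event)})].
# Each distribution covers the normal class too, so a benign overlap can win.
FOLLOW_ON = {
    32767: [
        (("and", "PAYLOAD_SEG1", "PAYLOAD_SEG2", ("or", "content_feature1", "content_feature2")),
         {"normal": 0.05, "bufferoverflow": 0.15, "injection": 0.75, "unique": 0.05}),
        (("and", "content_feature1", ("not", "content_feature2")),    # low-confidence supplementary rule
         {"normal": 0.40, "bufferoverflow": 0.40, "injection": 0.15, "unique": 0.05}),
    ],
}


def combine(records, obs, priors=PRIORS):
    """Posterior over CLASSES from the records whose event holds for obs."""
    logpost = {c: math.log(priors[c]) for c in CLASSES}
    for event, dist in records:
        if eval_event(event, obs):
            for c in CLASSES:
                logpost[c] += math.log(dist[c]) - math.log(priors[c])
    z = sum(math.exp(v) for v in logpost.values())
    return {c: math.exp(v) / z for c, v in logpost.items()}


def classify(rules, obs):
    """First matching tier-1 rule decides: 'alert' outright, or the most probable class."""
    for rule in rules:
        if not rule.matches(obs):
            continue                                  # clearly irrelevant, move on quickly
        if rule.action == "alert":
            return "alert", {}
        posterior = combine(FOLLOW_ON.get(rule.rule_id, []), obs)
        return max(posterior, key=posterior.get), posterior
    return "normal", {}


class SignatureViolation(Exception):
    """Stands in for the user_cancelled error SAS raises inside the SSL_read hook."""


def guarded_read(read_fn, rules, ssl_options):
    """Evaluate signatures on decrypted data before it is handed to the application."""
    data = read_fn()
    verdict, _ = classify(rules, Observation(data, frozenset(ssl_options)))
    if verdict != "normal":
        raise SignatureViolation(verdict)
    return data


OPTS = frozenset({"v2", "aes168", "md5", "dh"})
ALERT_RULE = Tier1Rule("alert", (b"SEG1", b"SEG2"), OPTS)
TRIGGER_RULE = Tier1Rule("trigger", (b"SEG1", b"SEG2"), OPTS, rule_id=32767)

if __name__ == "__main__":
    for payload in (b"SEG1\x01\x02SEG2", b"SEG1" + b"A" * 70 + b"SEG2", b"hello SEG1 world"):
        print(payload[:12], classify([TRIGGER_RULE], Observation(payload, OPTS)))
```

With only the primary record holding (short payload with control characters) the posterior is that record's distribution, so injection wins at 0.75; when the supplementary record holds as well, the two are multiplied against the priors and injection still wins but the normal and buffer overflow masses shift. A payload missing one content segment, or a session that did not negotiate every listed ssl_option, never reaches the follow-on rules, which is the quick rejection of clearly irrelevant signatures that the first tier is for.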
Semi-random permutations of valid input were provided for 98% of the input cases. For the remaining 2% of the test data, randomly selected exploits were used. The exploit test set included cases with valid inputs mixed with malicious, random mixed with malicious, and strictly malicious. The tests with these scripts had a high detection rate, but when techniques were used to attempt to confuse the signature generation system the false positive rate increased.

                          Predicted
Actual            Normal   BufferOverflow   Injection    Unique   % Correct
Normal           9745659            36902       14962      2477       99.45
BufferOverflow       172            74774          25        29       99.70
Injection            207               56       74658        79       99.54
Unique               266               64          93     49577       99.15
% Correct          99.99            66.88       83.28     95.04

Figure 3: Results (rows are the actual class, columns the predicted class; the row percentages are per-class recall and the column percentages per-class precision)

The additional script created inputs with different malicious segments and data that contained several sets of segments identical to those commonly seen in normal traffic. This caused higher false positive and lower true positive rates because some of the generated signatures contained primarily normal segments. A possible solution to this attack against the signature generation system is to include more training with known normal data to reduce the weight of the normal segments when they are intentionally injected with malicious data.

                          Predicted
Actual            Normal   BufferOverflow   Injection    Unique   % Correct
Normal           9706465            59456       27333      6746       99.05
BufferOverflow       438            81995          28        39       99.39
Injection            506               60       81802        78       99.15
Unique               498               66          99     54337       98.80
% Correct          99.99            57.92       74.87     88.79

Figure 4: Results with obfuscation (same layout as Figure 3)

When collapsing the categories to only normal or malicious, the F1 score for retrieving normal data in the first experiment is 0.9954. When adding the obfuscation script, the score drops to 0.9903. Due to the amount of normal data there isn't a substantial change, but the difference can be easily seen in the raw data.

5 Future Work

At this point, all of the tests are synthetic using proof of concept applications. The system will not have any real value until it can be successfully integrated into real applications.

A major drawback of the method used to test the proof of concept application is that the type of data used for testing was the type expected by the system. It also had more malicious data in the training set than would be seen when collecting from a live network. A greater than 0.99 F1 score in the proof of concept model is promising, but for a usable intrusion detection system the false positive rate must be much lower. Work is currently being done to decrease the false positive rate, but the modules are not ready to be integrated into the system for testing.

The framework for sensor collaboration used to collect anomalous data is still under development and is limited in its ability to provide data from distributed and non-atomic attacks. Once the framework is mature, work must be done to ensure signature reliability is not lost when data is not provided from a controlled environment.

6 Works Cited

Al-Ani, Ahmed and Deriche, Mohamed. A New Technique for Combining Multiple Classifiers using Dempster-Shafer Theory of Evidence. Vol. 17, pages 333-361, 2002.

Dierks, T. and Allen, C. The TLS Protocol Version 1.0, RFC 2246. IETF, 1999. http://www.ietf.org/rfc/rfc2246.txt

Gopalakrishna, Rajeev and Spafford, Eugene. Efficient Intrusion Detection using Automaton Inlining. Proceedings of the IEEE Symposium on Security and Privacy, May 2005. http://homes.cerias.purdue.edu/~rgk/papers/gopalakrishnar_automaton.pdf
Kloft, Marius, et al. Automatic Feature Selection for Anomaly Detection. AISec, 2008.

Kreibich, Christian and Crowcroft, Jon. Honeycomb: Creating Intrusion Detection Signatures Using Honeypots. In Proceedings of the Second Workshop on Hot Topics in Networks, 2003.

Newsome, James, Karp, Brad and Song, Dawn. Polygraph: Automatically Generating Signatures for Polymorphic Worms. Proceedings of the 2005 IEEE Symposium on Security and Privacy, 2005.

Quinlan, J. Ross. C4.5: Programs for Machine Learning. San Mateo, CA: Morgan Kaufmann Publishers, 1993.

Wagner, David and Dean, Drew. Intrusion Detection via Static Analysis. Proceedings of the IEEE Symposium on Security and Privacy, 2001, pp. 156-169.

Yegneswaran, Vinod, et al. An architecture for generating semantics-aware signatures. In USENIX Security Symposium, 2005.